by sageabilly 3893 days ago
AOL doesn't support 2-factor authentication for email sign-in. If they did, then this entire debacle would [edit- replace "would" with "could"] have been stopped before it even started.

I'm also surprised that the government doesn't have more stringent guidelines about the private email use of its top officials.

4 comments

It doesn't stop it, but it does raise the bar.

Since these guys knew how Verizon works internally, I wouldn't be surprised if they could forward his cell # somewhere else. Some 2FA systems require a PIN for auth, but they have his Verizon one already, which is probably re-used everywhere.

This is why SMS- or phone-based 2FA is not a good idea. HOTP/TOTP is the right way to implement 2-factor auth.

    https://en.wikipedia.org/wiki/HMAC-based_One-time_Password_Algorithm
    https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm
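As an added illustration of the HOTP/TOTP algorithms the comment above links to (this is example code written for this page, not anything from the commenter or from the RFCs themselves), the following implements RFC 4226 HOTP and RFC 6238 TOTP with only the Python standard library, plus a verification routine that tolerates small clock drift and refuses to accept the same code twice. The secret used in the demo is the published RFC test key, labelled as such; the account name and issuer are constructed placeholders.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, hash_algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hash_algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte selects a 4-byte window
    chunk = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(chunk % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6,
         hash_algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since epoch."""
    return hotp(secret, int(at_time) // step, digits, hash_algo)


def verify_totp(secret: bytes, candidate: str, at_time: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1):
    """Validate a submitted code, allowing +/-`window` steps of clock drift.

    Returns the accepted counter, or None on failure. Any counter not newer than
    `last_counter` is rejected, so a code that was observed once cannot be replayed
    inside its validity window; the server must persist the returned counter per user.
    Comparison is constant-time to avoid leaking which digits matched.
    """
    counter = int(at_time) // step
    for drift in range(-window, window + 1):
        c = counter + drift
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI of the kind authenticator apps read from a QR code (secret is base32)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    # Constructed demo: the RFC 4226/6238 test secret, not a real credential.
    key = b"12345678901234567890"
    print("HOTP, counter 0:", hotp(key, 0))                       # 755224 per RFC 4226
    print("TOTP at t=59, 8 digits:", totp(key, 59, digits=8))    # 94287082 per RFC 6238
    print(provisioning_uri(key, "alice@example.com", "ExampleMail"))  # placeholder account/issuer
    now = int(time.time())
    code = totp(key, now)
    accepted = verify_totp(key, code, now)
    print("accepted counter:", accepted)
    print("same code again:", verify_totp(key, code, now, last_counter=accepted))  # None
```

The replay check is the part a server-side implementer most often omits: RFC 6238 recommends that a code accepted for a given time step never be accepted again, since a 30-second window is long enough for an intercepted code to be reused.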
And totally impractical for most people...
Google Authenticator is pretty easy to use, as are the alternatives. Also really easy to provision. Not sure how SMS is more practical than an offline code generator.
First notice how "pretty easy" isn't the same as straightforward. Good luck getting my mom to figure it out.

If you lose your phone, upgrade to a new one, or erase and restore it, you lose all your authenticator credentials. That doesn't happen with SMS.

If you're in a situation where security is paramount, then physical cards or authenticator are a better way to go. If you're 99.9% of the population, SMS is a far better solution.

Just because a service offers 2-factor authentication doesn't mean people will use it.
You're right, I should have clarified that in my comment.

Not even offering it is a serious oversight on AOL's part for exactly this type of scenario: it makes it extremely easy for a motivated person to socially hack someone's email. However, even if it is offered it has to be turned on to work, so then we'd be back where we started if it was off by default.

Is there a term for this kind of response?

It's kind of obvious that not everyone will use it. However, not offering it when it's somewhat trivial to do so seems like a no-brainer.

I agree that AOL and most other services should offer 2fa. However, I disagree with the parent that the situation would not have occurred if AOL did offer 2fa because the subject in question would still be unlikely to use it.
> I'm also surprised that the government doesn't have more stringent guidelines about the private email use of its top officials.

It does. Guidelines don't stop people from doing things, especially when they're at the level where they think they're above such policies.

Even 2FA will have some mechanism for resetting the password without the second factor, because people lose their 2FA device (usually a phone) all the time. There has to be a way to recover from losing your 2FA device. Given how easily the social engineering was shown to be here, I doubt that would help much.